We present a rigorous framework for the composition of Web Services within a higher order logic
theorem prover. Our approach is based on the proofs-as-processes paradigm that enables inference
rules of Classical Linear Logic (CLL) to be translated into π-calculus processes. In this setting,
composition is achieved by representing available web services as CLL sentences, proving the re-
quested composite service as a conjecture, and then extracting the constructed π-calculus term from
the proof. Our framework, implemented in HOL Light, not only uses an expressive logic that allows
us to incorporate multiple Web Services properties in the composition process, but also provides
guarantees of soundness and correctness for the composition.



1 Introduction 

The general aim of the current research is to design and implement a rigorous framework for the compo-
sition and formal verification of Web Services based on higher order logic. Our approach is motivated by
recent work on the automated composition of Semantic Web Services using Intuitionistic Linear Logic
that has shown promising results [22, 23].

We focus mainly on the complex task of quality-driven Web Services composition. This involves 
the appropriate collection and combination of multiple Web Services in order to achieve a composite 
service that can perform a complex task. The composition needs to take into consideration non-functional 
restrictions, including location, cost, and time, and be quality-driven because the system should ensure a 
user-specified Quality of Service based on the quality provided in each of the participating Web Services
descriptions. The complexity of the task is compounded by the dramatic increase in available Web 
Services, as well as the great variety of conceptual models used for the descriptions of the services. 



1.1 Overview 

Our aim is to deploy our system as an automated, offline (as opposed to on-the-fly) Web services com- 
poser. Using an expressive logic allows the system to incorporate all of the aforementioned information 
when composing the services. However, this also means a need to maintain a balance in the tradeoff 
between expressiveness and decidability. We believe the latter to be important since decidability directly 
affects the degree of automation and, therefore, the user-friendliness of the system. 

The compositions are accomplished using the proofs-as-processes paradigm as introduced by Abram-
sky [1] and Bellin and Scott [3]. Abramsky showed the correspondence between a Classical Linear Logic
(CLL) [8] proof and the π-calculus [17] by modifying the Curry-Howard isomorphism and using the
formulae-as-types paradigm [12]. Proofs are viewed as π-calculus processes (instead of λ-calculus
functions). Bellin and Scott formalised Abramsky's translation of a fragment of CLL to the π-calculus
and provided proofs of soundness and correctness of the translation.

We exploit this translation by producing Web Services compositions as CLL proofs, with the re-
quested service set as a conjecture in each case. The π-calculus representation of the composite service
is then extracted by translating the proof based on the proofs-as-processes paradigm.

Our implementation is being developed within the higher order proof assistant HOL Light [10]. The
system has equality as the only primitive concept and a few primitive inference rules that form the basis of
more complex rules and tactics. Built on top of these, HOL Light has automated methods for proofs such
as model elimination [9] and decision procedures. Additionally, it has an array of conversion methods
that allow for very efficient and fine-grained manipulation (such as rewriting or numerical reduction) and
automatic proofs of formulas. The system is based on the LCF approach [19], which guarantees that
any proved theorem is a logical consequence of the primitive axioms.



1.2 Motivating Example 



We consider the case of ordering a ski set, as presented by Rao et al. [23]. In this, we compose a
core service with value-adding services, i.e. services that have minor, independent functionality, such as
currency or measurement conversion, that can be used as add-ons to the core functionality. The core
service "selectSki" returns the price in US dollars of a ski set using the ski length, brand, and model as
input parameters. There are also various value-adding services whose functionality is demonstrated in
the diagram provided in Figure 1. The requested composite service must return the price of a ski set in
Norwegian Crowns (NOK) given the user's height, weight, and skill level as well as a price limit. The
diagram of the requested service can be found in Figure 2. Some non-functional attributes have been
attached to the services. A cost of 10 NOK is attached to "selectBrand" and 20 NOK for "selectModel",
the "USD2NOK" service only replies to requests that are certified by Microsoft and the "selectSki"
service is located in Norway (note that this information is not apparent in the diagrams).

Figure 1: Diagrams of the available services for the Ski example.

Figure 2: Diagram of the requested service for the Ski example.

In Section 2 we will describe the theoretical background of our work by briefly explaining the main
concepts of CLL and the π-calculus. Then, in Section 3, we introduce the CLL to π-calculus translations
of the original proofs-as-processes paradigm and give an intuitive interpretation for some of the rules.
In Section 4 we present the results we obtained from our system for the Ski example, followed by an
overview of the related work in Section 5. We conclude in Section 6 with our plans for future work.

2 Background

In this section, we discuss some of the theoretical background of the proofs-as-processes paradigm. In
particular, we briefly explain the main concepts of Classical Linear Logic in Section 2.1 and the π-calculus
in Section 2.2. We focus on how these two languages can be used to describe Web Services, which is the
first step towards achieving Web services composition using the proofs-as-processes paradigm.

2.1 Classical Linear Logic

Girard proposed linear logic (LL) as a refinement to classical logic [8]. In LL, the emphasis is not merely
on the truth of a statement as in classical logic but also on formulas that represent resources. The
classical rules of contraction and weakening are not allowed in LL and therefore assumptions cannot be
ignored or copied. For example, if a constant A is assumed twice, it is considered a distinct case from
when it is assumed once. In order to achieve a proof, all assumptions must be "consumed" as resources.
Contraction and weakening rules are only available on assumptions carrying additional modal connectives called
exponentials, such as the "of-course" operator "!". The use of these connectives allows classical logic
to be encoded within LL. In computer science, LL has been used as a direct and declarative approach to
reasoning about various computational models related to services such as Petri Nets [18].

2.1.1 Description 

For the purposes of Web Services representation and composition, we aim to use propositional Classical 
Linear Logic (CLL). This version of LL includes multiplicative conjunction and disjunction, additive 
conjunction and disjunction, linear negation and the of-course and why-not operators (also referred to 
as exponentials). All these operators can be intuitively interpreted in the context of resources for Web 
services and we informally discuss the semantics for some of them next: 

• Multiplicative conjunction or the "tensor" operator (A ⊗ B) indicates a simultaneous operation
which, in the context of resources, refers to the simultaneous production of A and B. In order to
prove A ⊗ B, the set of available resources must be split in two subsets, one that can achieve A and
one that can achieve B. Multiplicative conjunction can be seen as the counterpart of conjunction
in classical logic. In the context of Web Services, multiplicative conjunction can also be used to
represent quantities of consumable resources such as (most typically) money and time.

In our Ski example, the selectModel service outputs the selected brand and a particular model
simultaneously. If we represent these outputs as resources in CLL, the selectModel service
output would be (BRAND ⊗ MODEL).

• Additive disjunction or the "plus" operator (A ⊕ B) can be viewed as the equivalent of exclusive
disjunction in classical logic and indicates that either of A or B is produced but not both. When
representing Web Services, additive disjunction can be used to indicate alternative results. Most
typically it is used to express the possibility of a Web Service throwing an exception instead of
producing the expected result. It is worth mentioning that most web services composition method-
ologies do not take exceptions into consideration.

In our example, the selectSki service may fail to return the price of the selected ski if, for
example, the particular model is out of stock or is not available for the given length. In this
case, selectSki will output an exception. In CLL we can represent the output of selectSki as
(PRICE_USD ⊕ EXCEPTION).

• Linear negation (A⊥) in CLL obeys similar laws to those of classical negation. The symmetry of
CLL becomes evident in the connection of the dual operators through linear negation. For example,
negating the tensor operator ((A ⊗ B)⊥) results in a "par" operator (A⊥ ⅋ B⊥).

In general, we use negated CLL terms to represent input (as opposed to output for non-negated
terms). For example, the input of the Cm2Inch process can be represented as (LENGTH_CM⊥).

• The of-course (!A) and why-not (?A) operators (also referred to as "exponentials") are used to
represent unlimited resources. They allow controlled versions of the weakening and contraction
rules. Essentially, these correspond to the replication of a resource as many times as necessary.
For example, in the context of Web Services, functional parameters such as input and output are
reusable in contrast to states which, once "consumed" through a state transition, are no longer
applicable.

Generally, a two-sided sequent calculus is used for the representation of the CLL inference rules.
The left and right versions of each inference rule serve the purpose of handling a connective on the left
or right hand side of the turnstile respectively. However, given the observation that Γ ⊢ Δ is equivalent
to ⊢ Γ⊥, Δ we can eliminate half of the rules by using a one-sided sequent calculus representation. This
has an important impact in the automation of CLL proofs, as the number of available inference rules in
the proof search is effectively halved. We note that Bellin and Scott also use a one-sided sequent calculus
representation for CLL in their work.

The one-sided sequent calculus versions of the inference rules for the multiplicative-additive frag-
ment (MALL) of CLL (i.e. without the exponentials) are presented in Figure 5. We note that, in this
particular figure, the rules are annotated using process calculus channel names (see Section 3 for more
details). From here on in this paper, unless otherwise stated, every reference to CLL corresponds to
MALL as this is the fragment we are currently focused on. In the future, we plan to increase the expres-
siveness of our system by extending the logic to the full CLL, although the latter is undecidable [13].



2.1.2 Describing Web Services using CLL 

Inspired by the translation of Web Services to Intuitionistic Linear Logic (ILL) proposed by Rao [22], we
utilise a similar approach for CLL. The CLL syntax has significant differences from ILL though; the most
important being the lack of linear implication. As already mentioned, we have chosen to interpret negated
terms as input and normal terms as output since this appears somewhat more intuitive¹. The resulting
formula is shown in Figure 3. Note that we have only kept functional properties of web services, i.e.
input (I), output (O), preconditions (P) and effects (F). This formula can be expanded to incorporate
non-functional properties, such as cost and time.

Following this formula, the translation of the available services and the requested service of the Ski
example (see Figures 1 and 2) in CLL are shown in Figure 4. We note that these translations are annotated
with process calculus terms using the "::" and ":" operators. These are explained in Section 3.1.

This formula also forms the basis for the translation of Web Services described in a variety of lan-
guages, including WSDL, BPEL4WS or, in the case of Semantic Web Services, OWL-S [15], the follow-up
of DAML-S (used by Rao et al. as part of their work), into CLL. The details of these translations are
beyond the scope of the current paper though.

¹ The duality of the CLL connectives allows this arbitrary choice [3].

  ⊢ P⊥, I⊥, ((⊗F) ⊗ (⊗O)) ⊕ E

  where ⊗(a₁, a₂, ..., aₙ) = a₁ ⊗ a₂ ⊗ ... ⊗ aₙ

Figure 3: The CLL representation of a Web Service.

Available services:

  ⊢ SelectModel :: smp : PRICE_LIMIT⊥, sms : SKILL_LEVEL⊥, smo : (BRAND ⊗ MODEL)
  ⊢ SelectLength :: slh : HEIGHT_CM⊥, slw : WEIGHT_KG⊥, sll : LENGTH_CM
  ⊢ Cm2Inch :: cic : LENGTH_CM⊥, cii : LENGTH_IN
  ⊢ Usd2Nok :: unu : PRICE_USD⊥, unn : PRICE_NOK
  ⊢ SelectSki :: ssl : LENGTH_IN⊥, ssb : BRAND⊥, ssm : MODEL⊥, sso : (PRICE_USD ⊕ EXCEPTION)

Request:

  ⊢ P :: x : PRICE_LIMIT⊥, y : SKILL_LEVEL⊥, z : HEIGHT_CM⊥, w : WEIGHT_KG⊥, t : (PRICE_NOK ⊕ EXCEPTION)

Figure 4: The available services and the request for the Ski example translated into CLL with process
annotations.
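The following is an added example, not part of the paper and not its HOL Light embedding: a small Python
model of the MALL formulas used above. It pushes linear negation down to the atoms through the dualities
(A ⊗ B)⊥ = A⊥ ⅋ B⊥ and (A ⊕ B)⊥ = A⊥ & B⊥, turns a two-sided Γ ⊢ Δ into the one-sided ⊢ Γ⊥, Δ, and builds
the Figure 3 sequent ⊢ P⊥, I⊥, ((⊗F) ⊗ (⊗O)) ⊕ E from a service's functional description. The function and
constant names (`neg`, `service`, `SELECT_SKI`, ...) are this example's own; the service descriptions are
those of Figure 4.

```python
"""Added example (not the paper's HOL Light embedding): propositional MALL
formulas with linear negation pushed to the atoms by the dualities
(A⊗B)⊥ = A⊥⅋B⊥ and (A⊕B)⊥ = A⊥&B⊥, the one-sided reading Γ ⊢ Δ ~ ⊢ Γ⊥, Δ,
and the Figure 3 scheme that describes a Web Service as a CLL sequent."""
from dataclasses import dataclass

TENSOR, PAR, PLUS, WITH = "⊗", "⅋", "⊕", "&"
DUAL = {TENSOR: PAR, PAR: TENSOR, PLUS: WITH, WITH: PLUS}

@dataclass(frozen=True)
class Atom:
    name: str
    positive: bool = True          # A when positive, A⊥ otherwise

@dataclass(frozen=True)
class Bin:
    op: str                        # TENSOR, PAR, PLUS or WITH
    left: object
    right: object

def neg(f):
    """Linear negation: involutive on atoms, swaps each connective for its
    dual, so a negated formula never needs an explicit ⊥ node above an atom."""
    if isinstance(f, Atom):
        return Atom(f.name, not f.positive)
    return Bin(DUAL[f.op], neg(f.left), neg(f.right))

def show(f):
    if isinstance(f, Atom):
        return f.name + ("" if f.positive else "⊥")
    return f"({show(f.left)} {f.op} {show(f.right)})"

def big(op, fs):
    """⊗(a1, ..., an) = a1 ⊗ a2 ⊗ ... ⊗ an (and likewise for the other connectives)."""
    out = fs[0]
    for g in fs[1:]:
        out = Bin(op, out, g)
    return out

def one_sided(gamma, delta):
    """Γ ⊢ Δ is equivalent to ⊢ Γ⊥, Δ: the antecedent crosses the turnstile negated.
    A sequent is a list here, but the order of its formulas is immaterial."""
    return [neg(g) for g in gamma] + list(delta)

def service(inputs, outputs, preconditions=(), effects=(), exception=None):
    """Figure 3: ⊢ P⊥, I⊥, ((⊗F) ⊗ (⊗O)) ⊕ E.  Inputs and preconditions are
    consumed (negative), effects and outputs are produced simultaneously
    (positive), and the exception, if any, is the alternative result."""
    produced = big(TENSOR, [big(TENSOR, [Atom(a) for a in group])
                            for group in (effects, outputs) if group])
    if exception is not None:
        produced = Bin(PLUS, produced, Atom(exception))
    return ([neg(Atom(p)) for p in preconditions]
            + [neg(Atom(i)) for i in inputs] + [produced])

def show_sequent(seq):
    return "⊢ " + ", ".join(show(f) for f in seq)

# Two of the Ski services of Figure 4, built from their functional description.
SELECT_MODEL = service(inputs=["PRICE_LIMIT", "SKILL_LEVEL"], outputs=["BRAND", "MODEL"])
SELECT_SKI = service(inputs=["LENGTH_IN", "BRAND", "MODEL"],
                     outputs=["PRICE_USD"], exception="EXCEPTION")
```

`neg` is also what the `neg_eq` step of the Ski proof relies on: negating ((BR ⊗ MO) ⊗ LI) yields
((BR⊥ ⅋ MO⊥) ⅋ LI⊥), which is how a ⊗-shaped output of one service becomes the ⅋-shaped input that a
Cut can connect it to.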

2.2 The π-calculus

The π-calculus is a formalism aimed at the description of concurrent processes [17]. The name is used to
show the connection to the λ-calculus as a minimal, abstract representation. In the π-calculus, processes
are described atomically as independent entities. They are attached to channels that use variables to
denote the input or output of the process.

2.2.1 Description

The syntax of the polyadic π-calculus is presented by the following grammar:

  P ::= x(ȳ).P | x̄⟨ȳ⟩.P | P || P | P + P | (νx̄)P | !P | 0

A channel x attached to process P that allows it to receive a message that will be bound to the vector of
names ȳ is represented as x(ȳ).P. Similarly, x̄⟨ȳ⟩.P depicts a process with channel x that can send a mes-
sage through the names ȳ as output. It is worth noting that the infix dots in these two cases are often omitted
for simplicity. The expression P || P describes the parallel composition of two processes whereas (νx̄)P
describes a vector of names x̄ that is local to P. Finally, !P describes a process P that can be replicated
and 0 represents the "nil" process that has no functionality. Note that in some more minimal versions, the
non-deterministic choice P + Q between two processes P and Q is excluded from the syntax. It is worth
remarking also, that there is no explicit representation of sequential processes. Interactions between par-
allel processes are represented as reductions of the π-calculus terms (similar in form to the reductions of
the λ-calculus). There are other extensions to the π-calculus syntax and other important concepts such as
bisimulation equivalence (or bisimilarity) [26] which go beyond the scope of the current work.
Reductions of π-calculus terms are defined formally using a set of rules. We will only present the
most significant reduction rule that describes the interaction between two parallel processes:

  (... + x(ā).F) || (... + x̄⟨b̄⟩.C)  →  F[b̄/ā] || C                                             (1)

The communication described here happens between process C with output b̄ over channel x and
process F with input ā over the same channel x. The processes run in parallel (denoted by the "||"
symbol) and for their interaction C sends b̄ to F over x yielding F || C where each free occurrence of the
names in ā in F is replaced by the names in b̄. It must be noted that the above interaction is only allowed
if the two involved vectors ā and b̄ have the same size.

Moreover, in addition to the reduction rule, a set of rules is defined that allow us to express structural
congruence (≡) relations between processes. For example, P + 0 ≡ 0 + P ≡ P, P || 0 ≡ 0 || P ≡ P and
!P ≡ P || !P are all defined as structural congruence rules. This concludes a general overview of the
π-calculus, its reductions, and its intuitive interpretation.

The π-calculus has formed the basis for a variety of process algebras used to describe the communi-
cation between agents, including LCC [24] and BPEL4WS [2]. Additionally, there are multiple available
tools that perform a variety of tasks involving π-calculus terms. For example, the Mobility Workbench
(MWB) [29] performs checks for open bisimulation equivalences [26] (which roughly corresponds to
checking agents for equivalent behaviour) and the PiVizTool is a tool written in Java that can graph-
ically represent agents described in the π-calculus and allows a step by step, user-controlled monitoring of
the interactions in a multi-agent environment.

3 The proofs-as-processes paradigm 

In the proofs-as-processes paradigm, Bellin and Scott [3] give a corresponding π-calculus term for each
of the CLL inference rules. As the inference rules are applied within a proof, these correspondences
allow the construction of a π-calculus term that corresponds to the entire proof. At the end of the proof,
it is guaranteed that applying the possible reductions to the resulting π-calculus term corresponds to the
process of cut-elimination in the proof. This means that the cut-free version of the proof corresponds to
an equivalent π-calculus term that cannot be reduced further.

3.1 Description 

Bellin and Scott attach free variables as proof annotations to every CLL sequent. Each of these variables
corresponds to a π-calculus communication port. Moreover, the process calculus term attached to the
rule is dependent on the processes attached to each of the premises of the rule and the process annotations
of the involved sequents. For example, let us consider the "tensor" rule for CLL including the process
annotations as shown below:

        F                      G
  ⊢ w:Γ, x:A           ⊢ u:Δ, y:B
  ------------------------------- ⊗                                                    (2)
       ⊢ w:Γ, u:Δ, z:A⊗B

Processes F and G are attached to the two premises of the rule based on any previous proof steps. The
process calculus term attached to the rule, also referred to as the "translation" of the rule to the π-calculus,
is given by the following term:

  ⊗^{x,y}_z (F, G)_{wuz} = νxy ( z̄⟨xy⟩ (F_{wx} || G_{uy}) )                                  (3)

We note that term (3) is dependent on processes F and G and also on the channel names x, y, w
and u attached to the involved sequents. The free variables found in the annotations of the sequents of a
conclusion of an inference rule are ensured to be exactly the same as the free names of the corresponding
π-calculus term for that rule, in this case z, w, and u. Following a syntax closer to the one used in type
theory, we can also represent the same annotated rule and corresponding translation using the :: operator
as follows:

  ⊢ F :: w:Γ, x:A          ⊢ G :: u:Δ, y:B
  ------------------------------------------------ ⊗                                   (4)
  ⊢ ⊗^{x,y}_z (F, G)_{wuz} :: w:Γ, u:Δ, z:A⊗B

The seven basic CLL inference rules and their process correspondences are shown in Figure 5. Before
analyzing and giving a practical, intuitive explanation for some of these correspondences, we should note
the two choices made in them. The symmetry of CLL allows for two equivalent, symmetric π-calculus
translations for the identity axiom and the ⊗ and ⅋ operators. We have chosen to translate positive atoms
and the ⊗ operator as senders while we translate negative atoms and the ⅋ operator as receivers. We
examine some of these rules from Figure 5 and their translations more closely next:

The identity axiom The identity axiom ⊢ x:A, y:A⊥ can be intuitively translated given the aforemen-
tioned choices to y(a).x̄⟨a⟩. The resulting process receives a message a through the channel y of the
negative literal and sends the same message a through the channel of the positive atom x. Such a process
is referred to as an axiom buffer.

The ⊗ rule The "tensor" rule must intuitively correspond to a channel z that sends two messages x and
y corresponding to the literals A and B (that are involved in F and G respectively) simultaneously. The 
given translation satisfies our intuition. It sends both x and y through channel z followed by the parallel 
execution of F and G. 

The ⊕ rules The ⊕ operator provides the means to ignore an argument or, consequently, a channel. In
the first rule, for example, we expect to receive two names u and v corresponding to the channels for A 
and B respectively through a common channel z. The process ignores the second name v and uses the 
first one u to send x before invoking P. The process for the second rule is symmetric as it ignores the first 
name u and sends y through v. 

The Cut rule The Cut rule is perhaps the most significant rule as far as process interactions are con- 
cerned. We already discussed that applying cut-elimination to the proof corresponds to performing re- 
ductions in its 7r-calculus translation. Therefore, the Cut rule corresponds to a reduction/interaction 
between processes F and G. Additionally, the interaction will take place through the ports corresponding 
to the literal being cut, namely C. Thus, port x will be connected to port y to form a common channel z. 
The two processes are expected to interact through this common channel z when invoked in parallel. It 
is worth noting that there are no assumptions made whatsoever about which of the two services will be 
the receiver and which will be the sender. 
CLL inference rule                                       π-calculus translation

Identity:
  ⊢ x:A, y:A⊥                                            I_{xy} = y(a).x̄⟨a⟩

⊗:
  ⊢ F :: w:Γ, x:A      ⊢ G :: u:Δ, y:B
  ------------------------------------                   ⊗(F,G)_{wuz} = νxy( z̄⟨xy⟩ (F_{wx} || G_{uy}) )
  ⊢ w:Γ, u:Δ, z:A⊗B

⅋:
  ⊢ F :: w:Γ, x:A, y:B
  ------------------------------------                   ⅋(F)_{wz} = z(xy).F_{wxy}
  ⊢ w:Γ, z:A⅋B

⊕ (left):
  ⊢ P :: w:Γ, x:A
  ------------------------------------                   L(P)_{wz} = νx( z(uv).ū⟨x⟩.P_{wx} )
  ⊢ w:Γ, z:A⊕B

⊕ (right):
  ⊢ Q :: w:Γ, y:B
  ------------------------------------                   R(Q)_{wz} = νy( z(uv).v̄⟨y⟩.Q_{wy} )
  ⊢ w:Γ, z:A⊕B

&:
  ⊢ P :: w:Γ, x:A      ⊢ Q :: w:Γ, y:B
  ------------------------------------                   &(P,Q)_{wz} = νuv( z̄⟨uv⟩ (u(x).P_{wx} + v(y).Q_{wy}) )
  ⊢ w:Γ, z:A&B

Cut:
  ⊢ F :: u:Γ, x:C      ⊢ G :: v:Δ, y:C⊥
  ------------------------------------                   Cut^{x,y}(F,G)_{uv} = νz( F_u[z/x] || G_v[z/y] )
  ⊢ u:Γ, v:Δ

Figure 5: The CLL inference rules annotated with channel names and the corresponding π-calculus
processes.

Similar informal justifications can be given for rules involving ⅋ and &, but will be omitted here due
to space limitations. We should also note that π-calculus replication (!P) is only used in the translations
of the of-course and why-not rules which, as mentioned previously, are not currently part of our system.
Despite that fact, our language is sufficiently expressive to describe useful Web Services compositions,
as demonstrated in Section 4.
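The following is an added example, not code from the paper or from its HOL Light system, serving two
passages at once: the reduction rule (1) of Section 2.2 and the Figure 5 translations of this section. It
models the polyadic π-calculus as plain tuples, implements the communication step with the same-arity
restriction and the structural congruences P || 0 ≡ P and scope extrusion, and then builds processes
exactly as the Figure 5 rules do (Identity as an axiom buffer, ⊗ and positive atoms sending, ⅋ and negative
atoms receiving, ⊕ choosing one of two received names, & offering a sum, Cut wiring the two cut ports
to a fresh channel). Reducing a tensor cut against a par, and a with cut against a plus, then replays
cut-elimination as reduction. All identifiers (`Send`, `Recv`, `tensor`, `cut`, `with_plus_cut`, ...) are this
example's own; leaf processes stand in for atoms in the style of Figure 8, and every binder name is assumed
fresh, as the paper does when it renames the cut channel to z₁.

```python
"""Added example (not the paper's HOL Light code): a polyadic pi-calculus
with the communication reduction of Section 2.2 and the Bellin-Scott
process translations of the MALL rules in Figure 5; cut-elimination is
then replayed as reduction on a tensor/par cut and a with/plus cut."""
from collections import namedtuple
from itertools import count

Nil = namedtuple("Nil", "")                    # 0
Send = namedtuple("Send", "chan names cont")   # chan<names>.cont
Recv = namedtuple("Recv", "chan names cont")   # chan(names).cont, names bound in cont
Par = namedtuple("Par", "left right")          # P || Q
Sum = namedtuple("Sum", "left right")          # P + Q
Nu = namedtuple("Nu", "names body")            # (nu names) body

_ctr = count(1)
def fresh(base):  # every binder introduced by a rule gets a fresh name
    return f"{base}{next(_ctr)}"

def subst(p, s):
    """Rename names by dict s; bound names are fresh, so nothing is captured."""
    if isinstance(p, Nil): return p
    if isinstance(p, (Send, Recv)):
        return type(p)(s.get(p.chan, p.chan), tuple(s.get(n, n) for n in p.names), subst(p.cont, s))
    if isinstance(p, (Par, Sum)): return type(p)(subst(p.left, s), subst(p.right, s))
    return Nu(p.names, subst(p.body, s))

def extrude(p):
    """Flatten to (restricted names, parallel components) using the structural
    congruences P||0 = P and (nu x)P || Q = (nu x)(P || Q) (x fresh)."""
    if isinstance(p, Nu):
        ns, cs = extrude(p.body); return p.names + ns, cs
    if isinstance(p, Par):
        nl, cl = extrude(p.left); nr, cr = extrude(p.right); return nl + nr, cl + cr
    return (), ([] if isinstance(p, Nil) else [p])

def summands(p):
    return summands(p.left) + summands(p.right) if isinstance(p, Sum) else [p]

def rebuild(names, comps):
    body = comps[0] if comps else Nil()
    for c in comps[1:]: body = Par(body, c)
    return Nu(names, body) if names else body

def step(p):
    """One reduction (...+x(a).F) || (...+x<b>.C) -> F[b/a] || C, or None if
    none applies; as in the paper, a and b must have the same length."""
    names, comps = extrude(p)
    for i, ci in enumerate(comps):
        for j, cj in enumerate(comps):
            for r in summands(ci):
                for w in summands(cj):
                    if i != j and isinstance(r, Recv) and isinstance(w, Send) \
                            and r.chan == w.chan and len(r.names) == len(w.names):
                        rest = [c for k, c in enumerate(comps) if k not in (i, j)]
                        return rebuild(names, rest + [subst(r.cont, dict(zip(r.names, w.names))), w.cont])
    return None

def normalize(p, limit=100):
    """Reduce until no step applies (the process image of a cut-free proof)."""
    for _ in range(limit):
        q = step(p)
        if q is None: return p
        p = q
    raise RuntimeError("no normal form within limit")

def channels(p):
    """Channels on which p still offers a send or a receive."""
    if isinstance(p, Nil): return set()
    if isinstance(p, (Send, Recv)): return {p.chan} | channels(p.cont)
    if isinstance(p, (Par, Sum)): return channels(p.left) | channels(p.right)
    return channels(p.body)

# Figure 5 translations: positive atoms and tensor send, negatives and par receive.
def axiom(x, y):                # |- x:A, y:A^         ->  y(a).x<a>, an axiom buffer
    a = fresh("a"); return Recv(y, (a,), Send(x, (a,), Nil()))
def tensor(F, x, G, y, z):      # |- G1,x:A  |- G2,y:B ->  |- G1,G2,z:A(x)B
    return Nu((x, y), Send(z, (x, y), Par(F, G)))
def par_rule(F, x, y, z):       # |- G,x:A,y:B         ->  |- G,z:A par B
    return Recv(z, (x, y), F)
def plus_left(P, x, z):         # |- G,x:A             ->  |- G,z:A(+)B: take u, ignore v
    u, v = fresh("u"), fresh("v"); return Nu((x,), Recv(z, (u, v), Send(u, (x,), P)))
def plus_right(Q, y, z):        # symmetric: ignore u, send y on v
    u, v = fresh("u"), fresh("v"); return Nu((y,), Recv(z, (u, v), Send(v, (y,), Q)))
def with_rule(P, x, Q, y, z):   # |- G,x:A  |- G,y:B   ->  |- G,z:A&B: offer both branches
    u, v = fresh("u"), fresh("v")
    return Nu((u, v), Send(z, (u, v), Sum(Recv(u, (x,), P), Recv(v, (y,), Q))))
def cut(F, x, G, y):            # |- G1,x:C  |- G2,y:C^ -> |- G1,G2: wire x and y together
    z = fresh("z"); return Nu((z,), Par(subst(F, {x: z}), subst(G, {y: z})))

# Leaf processes standing in for atoms, in the style of Figure 8.
def out(x): return Send(x, (fresh("m"),), Nil())   # positive atom: one send on its port
def inp(x): return Recv(x, (fresh("m"),), Nil())   # negative atom: one receive on its port

def tensor_par_cut():
    """Cut |- z:A(x)B against |- w:A^ par B^; every communication is consumed."""
    F = tensor(out("x"), "x", out("y"), "y", "z")
    G = par_rule(Par(inp("p"), inp("q")), "p", "q", "w")
    return normalize(cut(F, "z", G, "w"))

def with_plus_cut():
    """Cut |- z:A&B against |- w:A^(+)B^; the plus side selects the first branch."""
    W = with_rule(inp("x"), "x", inp("y"), "y", "z")
    return normalize(cut(W, "z", plus_left(out("x2"), "x2", "w"), "w"))
```

In `tensor_par_cut` the first step is the principal cut of the ⊗/⅋ pair: the par side receives the two
names sent on the cut channel, after which its ports are the very ports the tensor side sends on and the
remaining steps consume them pairwise. In `with_plus_cut` the & side offers both branches as a sum and
the ⊕ side's send on the first received name resolves the choice, discarding the second branch, which is
the process-level reading of eliminating a &/⊕ cut. An axiom buffer cut against a receiver does nothing
on its own; it only forwards a message once the environment sends on its negative port.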



3.2 Achieving Web Services composition 

The proofs-as-processes paradigm allows us to create Web Services compositions described using the
π-calculus by performing CLL proofs. In short, the available Web Services descriptions are specified as
CLL sentences as we discussed in Section 2.1.2. Then we construct a CLL description of the requested
composite service and attempt to prove it as a conjecture. Using our defined logic, proving the requested
service R from the available services A₁, ..., Aₙ corresponds to proving the following goal:

  A₁   A₂   ...   Aₙ
  -------------------
          R

Assuming the proof (i.e. the composition) can be accomplished, the resulting lemma will correspond
to a valid logical representation of the requested service. We will have, therefore, proven that such a
service exists and can be constructed using the set of available Web Services. Moreover, the π-calculus
translation of the proof will provide a full description of the structure of the composite service.



4 Results 



We begin the result analysis by explaining the setup of our implementation for the ski example in Section
4.1. This is followed by a brief description of the obtained results in Section 4.2 and by a description of
the execution of the resulting π-calculus process as an empirical verification in Section 4.3.



4.1 Setup 

Our system is built within the higher order logic (HOL) proof assistant HOL Light. More specifically,
we have embedded MALL and the π-calculus syntax within HOL Light, while making sure proof anno-
tations and process calculus term construction are supported.

The embedding of the π-calculus is based on the work of Melham in HOL88 [16]. It includes the
basic, polyadic π-calculus syntax, a few simple functions about names, and substitution. Formalising re-
ductions, structural congruence rules, and bisimulation rules may prove useful for further meta-theoretic
reasoning, but is currently beyond the scope of our project.

For the MALL embedding we followed the work of Power et al. [21] and Sadrzadeh [25] in Coq. We
follow a similar methodology, although we represent sequents as multisets rather than lists of formulas,
and thus have no need for an Exchange rule to reorder the formulas within a sequent.

Supporting π-calculus proof annotations and enabling process calculus term construction in the style
of type theory was a fairly challenging task. We achieved this by including the channel names and the
proofs-as-processes translations as logical terms within the embedding of each MALL inference rule.
Our custom tactics allow us to accomplish CLL proofs of CLL statements with π-calculus annotations
using these combined rules while constructing the π-calculus translation simultaneously. Their function-
ality is based on the use of metavariables as we further explain in the next section.

Having implemented this system as an embedded logic within HOL Light guarantees the correctness
of the involved proofs. Given the soundness and correctness proofs of Bellin and Scott for the proofs-as-
processes paradigm, this also guarantees the correctness of the composite service, i.e. that the resulting
π-calculus service will indeed have the expected behaviour.

We will use the Ski example to demonstrate the functionality of our system. In Section 2.1.2 we
presented the CLL translations of the available services as well as the translation of the requested service.
Based on the scheme described in Section 3.2, achieving the desired services composition is equivalent
to proving the requested service as a conjecture. We, therefore, need to prove the following lemma:

  ∃P. ⊢ P :: x : PRICE_LIMIT⊥, y : SKILL_LEVEL⊥, z : HEIGHT_CM⊥,
            w : WEIGHT_KG⊥, t : (PRICE_NOK ⊕ EXCEPTION)                                  (5)



We note that the existential quantification of P is not at the embedded level of CLL but rather at the 
HOL (meta) level. It allows us to find the process P for which this sentence holds, ie. the composite 
service that satisfies this specification. 
4.2 Proof and obtained results

The proof of (5) is shown in Figure 6. Note that the CLL propositions are abbreviated, e.g. HC stands
for HEIGHT_CM, and the process calculus annotations have been omitted for a cleaner presentation.
Moreover, the neg_eq step in the proof is an abbreviation of the usage of the Cut rule with a lemma
involving negation. As each of the CLL inference rules is applied in the proof, the composite process
P is gradually constructed based on the corresponding process calculus translations of the proofs-as-
processes paradigm (see Figure 5).

Lemma (6), selecting brand, model and length in inches:

    SelLen : ⊢ HC⊥, WK⊥, LC        Cm2Inch : ⊢ LC⊥, LI
    ------------------------------------------------ Cut
    SelMod : ⊢ PL⊥, SL⊥, BR⊗MO       ⊢ HC⊥, WK⊥, LI
    ------------------------------------------------ ⊗
    ⊢ PL⊥, SL⊥, HC⊥, WK⊥, (BR⊗MO)⊗LI                                  (6)

The main derivation (7):

    Usd2Nok : ⊢ PU⊥, PN          Id : ⊢ EXE⊥, EXE
    ------------------- ⊕        ------------------- ⊕
    ⊢ PU⊥, PN⊕EXE                ⊢ EXE⊥, PN⊕EXE
    --------------------------------------------- &
    ⊢ PU⊥ & EXE⊥, PN⊕EXE
    --------------------------------------------- neg_eq
    ⊢ (PU⊕EXE)⊥, PN⊕EXE

    SelSki : ⊢ BR⊥, MO⊥, LI⊥, PU⊕EXE
    ---------------------------------- ⅋ (twice)
    ⊢ (BR⊥⅋MO⊥)⅋LI⊥, PU⊕EXE            ⊢ (PU⊕EXE)⊥, PN⊕EXE
    ---------------------------------------------------- Cut
    ⊢ (BR⊥⅋MO⊥)⅋LI⊥, PN⊕EXE
    ---------------------------------------------------- neg_eq
    ⊢ ((BR⊗MO)⊗LI)⊥, PN⊕EXE                (6)
    ---------------------------------------------------- Cut with (6)
    ⊢ PL⊥, SL⊥, HC⊥, WK⊥, PN⊕EXE                                      (7)

Figure 6: The proof of the requested service of the Ski example in CLL.

Without delving into too many technical details, we accomplish this by introducing P as a metavari-
able that is matched to the translation of the first rule being applied to the goal (assuming we are following
the proof backwards), i.e. the Cut rule. This turns P into an instantiation of νz(F_u[z/x] || G_v[z/y]) where
any matched variables have also been instantiated.

Any unmatched variables in this new form are also introduced as metavariables that are in turn
instantiated in the next proof steps. For example, G eventually becomes the process corresponding to part
(6) of the proof (see Figure 6). It is first introduced as a new metavariable that is gradually instantiated
as the proof progresses.

If one of the available services' CLL statements (see Figure 4) is used to match one of the CLL
sentences at the top of the proof tree, this will instantiate one of the metavariables and the service will
then be introduced as a component in the π-calculus representation of the composite service.

Any unmatched metavariables at the end of the proof are left as fresh, free variables in the π-calculus
result. In the above example of νz(F_u[z/x] || G_v[z/y]), z is the variable representing the channel connecting
F and G and will never be matched as it never appears in the proof. It is in fact kept as a fresh variable
and renamed to z₁ to avoid variable clashes in our result.

The π-calculus term that was constructed following this methodology by our proof for the Ski
example (denoted as Composition(smp, sms, slh, slw, t, puc, exc)) is presented in Figure 7. It is im-
mediately apparent that the complexity of this term prohibits any attempt to fully analyse its func-
tionality on paper. Only some of its parts are clear and can be analysed. For example, the subterm
(νz3)(SelLen[z3/sll] || Cm2Inch[z3/cic]) represents the interaction between port sll of the SelLen ser-
vice and port cic of the Cm2Inch service². Essentially, this is a composite subprocess that selects the ski
length in inches (rather than in centimeters). It resulted from the application of the Cut rule using lemma
(6) in the proof.

Composition(smp, sms, slh, slw, t, puc, exc) =
  (νz1)
  ( (νsmo, cii)
    ( z̄1⟨smo, cii⟩ .
      ( SelMod || (νz3)( SelLen[z3/sll] || Cm2Inch[z3/cic] ) )
    )
  ||
    (νz4)
    ( ( z1(x5, ssl) . x5(ssb, ssm) . SelSki[z4/sso] )
    ||
      (νu7, v7)
      ( z̄4⟨u7, v7⟩ .
        ( u7(unu) . (νunn)( t(u8, v8) . ū8⟨unn⟩ . Usd2Nok )
        + v7(y7) . (νy9)( t(u9, v9) . v̄9⟨y9⟩ . y7(a10) . ȳ9⟨a10⟩ . 0 ) )
      )
    )
  )

Figure 7: The resulting π-calculus term from the Ski proof.

It is worth noting that the resulting services composition makes no assumptions about the form
of the component services. In our example from Figure 7 the π-calculus term includes component
processes such as SelLen, SelMod, SelSki, etc. as "black boxes" with hidden functionality. The only
known properties of the component services are the input and output ports as defined in their CLL
representation. For example, SelLen is defined as follows (see Figure 4):

  ⊢ SelLen :: slh : HC⊥, slw : WK⊥, sll : LC

Therefore, it is only assumed that it has input ports slh and slw and output port sll.

4.3 Execution

Once the π-calculus composition is extracted, the next step is to execute the composed service. This can
be accomplished by translating the π-calculus representation into a more commonly used, executable Web
Services description language such as the previously mentioned WSDL, BPEL4WS, or OWL-S.

In our project so far, before undertaking the formal translation of π-calculus to any other model, we
are focusing on visualising and checking the results empirically. This is accomplished by introducing
concrete π-calculus representations for each of the available services and simulating their execution by
invoking the π-calculus reductions.

We have, therefore, constructed a set of mappings for a systematic interpretation of CLL judgements
to π-calculus processes. These mappings provide an intuitive interpretation that satisfies the correspond-
ing properties and follows the expected behaviour (as far as π-calculus reductions are concerned). We
present them in Figure 8.

Following these empirical translations, we introduce π-calculus terms for each of the available ser-
vices. We, therefore, instantiate the "black boxes" in our initial result with an executable π-calculus term.



² Note how both sll and cic are substituted by z3 in order to accomplish this interaction.

A          a⟨...⟩.0

A⊥         a(...).0

A ⊗ B      (νa,b)(z⟨a,b⟩.(a⟨...⟩.0 || b⟨...⟩.0))

A⊥ ⅋ B⊥    z(a,b).(a(...).0 || b(...).0)

A ⊕ B      (νa,b)(z⟨u,v⟩.(u⟨x⟩.x⟨...⟩.0 + v⟨y⟩.y⟨...⟩.0))

A⊥ & B⊥    (νa,b)(z(u,v).(u(x).x(...).0 + v(y).y(...).0))

Figure 8: Translations of CLL terms to π-calculus (inputs written a(...), outputs a⟨...⟩).



Moreover, we introduce a π-calculus term for a Request service. This service can be viewed as the client
for the requested composite service. It will interact with the π-calculus term of the latter to verify its
functionality. In this particular example, it will provide the expected input, i.e. the price limit, skill level,
height and weight, and expect the desired output, namely the price in NOK or an exception. We present
the introduced π-calculus services in Figure 9. The parallel composition of the Request service and the
derived composite service Composition from Figure 7 is introduced as the Main service to complete our
model.

SelLen(slh,slw,sll,lc) = slh(hc).slw(wk).sll⟨lc⟩.0

Cm2In(cic,cli,li) = cic(lc).cli⟨li⟩.0

Usd2Nok(unu,unn,pn) = unu(pu).unn⟨pn⟩.0

SelMod(smp,sms,smm,br,mo) = smp(pl).sms(sl).(νsmb,smo)(smm⟨smb,smo⟩.smb⟨br⟩.smo⟨mo⟩.0)

SelSki(ssb,ssm,ssl,sso,pu,ex) = (νssp,sse)(ssb(br).ssm(mo).ssl(li).sso⟨u,v⟩.(u⟨ssp⟩.ssp⟨pu⟩.0 + v⟨sse⟩.sse⟨ex⟩.0))

Request(smp,pl,sms,sl,slh,hc,slw,wk,t,puc,exc) =
  smp⟨pl⟩.sms⟨sl⟩.slh⟨hc⟩.slw⟨wk⟩.t(puc,exc).(puc(x).x(pu).0 + exc(y).y(ex).0)

Main() = Request(smp,pl,sms,sl,slh,hc,slw,wk,t,puc,exc) || Composition(smp,sms,slh,slw,t,puc,exc)

Figure 9: The available services and the Request service for the Ski example defined as π-calculus
processes (inputs written a(...), outputs a⟨...⟩).

It is important to note that these particular concrete representations are not unique in π-calculus.
However, they were designed to be as simple and straightforward as possible. Our aim is to empirically
confirm the correctness of the constructed composition and its associated information flow. Since the
composition makes no assumptions about the involved component services (apart from the names of
the channels through which the services can be interfaced), any valid π-calculus representation of these
services is acceptable.
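The reduction-based simulation described in this section, as an added example that is not part of the paper or of PiVizTool: a small Python reducer for polyadic π-calculus prefixes (input and output actions with name substitution; no choice or replication) that replays the subterm SelLen[z3/sll] || Cm2In[z3/cic] from Figures 7 and 9 against a constructed client. The client process, its channel done and the sample names h180 and w75 are assumptions made here.

```python
# Added example, not from the paper: a minimal simulator of synchronous
# polyadic pi-calculus reductions. A sequential process is a list of actions
# ("in"|"out", channel, names); a system is a list of such processes.

def subst(proc, mapping):
    """Apply the substitution [new/old] to channels and sent names; input
    binders are left alone (assumed distinct, as PiVizTool's renaming ensures)."""
    out = []
    for kind, chan, names in proc:
        if kind == "out":
            names = tuple(mapping.get(n, n) for n in names)
        out.append((kind, mapping.get(chan, chan), names))
    return out

def reduce_step(procs):
    """One reduction: an output and an input on the same channel synchronise and
    the received names are bound in the receiver. Returns the channel or None."""
    for i, p in enumerate(procs):
        if not p or p[0][0] != "out":
            continue
        _, chan, vals = p[0]
        for j, q in enumerate(procs):
            if i == j or not q or q[0][0] != "in" or q[0][1] != chan:
                continue
            params = q[0][2]
            if len(params) != len(vals):
                continue  # polyadic arity mismatch: no communication possible
            procs[i] = p[1:]
            procs[j] = subst(q[1:], dict(zip(params, vals)))
            return chan
    return None

def run(procs):
    """Reduce until the system is stuck; return the trace of channels used."""
    trace = []
    while (chan := reduce_step(procs)) is not None:
        trace.append(chan)
    return trace

# Figure 9: SelLen(slh,slw,sll,lc) = slh(hc).slw(wk).sll<lc>.0
SELLEN = [("in", "slh", ("hc",)), ("in", "slw", ("wk",)), ("out", "sll", ("lc",))]
# Figure 9: Cm2In(cic,cli,li) = cic(lc).cli<li>.0
CM2IN = [("in", "cic", ("lc",)), ("out", "cli", ("li",))]

def ski_length_in_inches():
    """Cut SelLen and Cm2In on the fresh channel z3 (as in Figure 7) and drive them
    with a constructed client; returns the reduction trace and the final state."""
    client = [("out", "slh", ("h180",)), ("out", "slw", ("w75",)),
              ("in", "cli", ("result",)), ("out", "done", ("result",))]
    procs = [subst(SELLEN, {"sll": "z3"}), subst(CM2IN, {"cic": "z3"}), client]
    return run(procs), procs
```

The trace shows the two input reductions on slh and slw, the internal z3 interaction that converts the length, and the delivery on cli; the client's remaining done⟨li⟩ is stuck because nothing listens on done.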



Our complete set of services was given as input to the PiVizTool (see Section 2.2.1). This system
allows the visualisation of the various services and their interactions (corresponding to π-calculus reduc-
tions). Eight consecutive snapshots (out of a total of 17) from the resulting visualisation are shown in
Figure 10. Each edge represents a possible interaction between two agents. The grey edges represent
interactions that are currently blocked whereas the black edges represent interactions that can occur im-
mediately on the next execution step. Each snapshot is the result of applying one π-calculus reduction in
the previous state.



For example, in snapshot 6 of Figure 10 the SelLen service interacts with Cm2In through channel
z3 (automatically renamed to z3#8 by PiVizTool to avoid clashes). Essentially, this corresponds to the
conversion of the output of the SelLen service from centimeters to inches via the Cm2In service as we
discussed in the previous section. The result after the interaction is shown in snapshot 7.

Figure 10: Consecutive snapshots of the Ski example π-calculus result taken from PiVizTool.

The PiVizTool simulation plays an important role towards empirically verifying that our result sat-
isfies the requested service without the initial need for a more concrete execution model. Our process
behaves as expected, indicating that the available services have been successfully composed.

Additionally, PiVizTool provides the definition and execution trees of the composed service. These
are tree visualisations of the definitions and of the execution sequence for each of the available services respec-
tively. These trees are also helpful towards understanding and analysing the behaviour of the composite
service.

5 Related work 

There are two main directions in the research over Web Services composition: one involves the use of 
workflow techniques while the other relies on AI planning ifTTTl . 

The workflow techniques rely on the requester building an abstract process model, including a set of 
required tasks and their data dependencies. The aim is then to build a graph of atomic services that can 
fulfill this role. An example of such a workflow-based system is EFlow Q. 

In the AI planning approach, services are considered as actions with specified preconditions and 
effects. A planner then attempts to discover the appropriate combination of actions that will lead to a 
goal state starting from an initial state. An example of such system is SWORD [ 20 ] which uses rule-based 
planning for the composition of services. 

Theorem proving techniques, such as the one used in the current work, are considered part of the
planning approach to Web Services composition. There have been multiple attempts at using theorem
provers in this context. Waldinger, for instance, based his work on automated deduction and program
synthesis [30]. He used the theorem prover SNARK (III to provide proofs for service composition
problems described in classical first-order logic. Lammermann worked on structural synthesis of pro-
grams, a deductive approach that utilises intuitionistic propositional logic lPT4l . Finally, Rao et al. used
propositional Linear Logic theorem proving with DAML-S based proofs [22, 23].

The latter has been the main motivation for this work. However, after carefully analysing the work
of Rao et al., we detected a number of potential inconsistencies. For example, the process calculus
being used is an extension of the π-calculus. However, no guarantees are given that the two calculi are
equivalent or that the Bellin and Scott proofs are valid for the extended process calculus. Additionally,
they use Intuitionistic Linear Logic in a two-sided sequent calculus, which is also not guaranteed to
be equivalent to the one-sided CLL approach of Bellin and Scott. Moreover, a number of so-called
"structural congruence rules" that contain both CLL terms and channel names were introduced. These
rules were not formally derived and their syntax can easily result in an incorrect interpretation. Finally,
even though the system theoretically supports non-functional properties and exponentials, the proof of the
Ski example ignores them. Non-functional properties are crucial towards a quality-driven composition,
whereas adding the exponentials would make the logic undecidable.

Using our system and the higher order logic background of HOL Light we were able to provide a
rational reconstruction of Rao's work. This includes a formal interpretation (using CLL and the π-
calculus) of some of Rao's introduced concepts such as composite and optional ports and channels and
the verification of some of their properties and structural congruence rules. The lack of published code and
more examples made this a fairly challenging undertaking.

6 Conclusion and Future work 

We have described our efforts towards the implementation of a rigorous framework for Web services 
composition using the higher order logic proof assistant HOL Light. Our approach is based on the 
proofs-as-processes paradigm originally introduced by Abramsky, Bellin and Scott. 

In contrast to the work of Rao et al., we have attempted to remain faithful to the original theory
of Bellin and Scott by using CLL in conjunction with the standard polyadic π-calculus syntax. Our
implementation has shown some promising results and there is sufficient room for improvements and
further work. In particular, interesting properties such as liveness, safety, and deadlock-freedom have
not been investigated in this work yet. These, along with the automation of our CLL proofs and further
evaluation of the system, are part of our next goals.

The Bellin and Scott translation has the interesting property of keeping the π-calculus annotations
and the CLL proof completely independent of each other. This means that the CLL proof is not affected
by the attached process calculus terms. In fact, if we completely remove the annotations, the proofs
are perfectly valid CLL proofs. We plan to exploit this property in our attempt to utilise external tools
to automate our proofs. Our effort will focus on finding and using tools (such as llprover [28]) that
can perform automated CLL proofs and return the entire proof script, which can then be integrated and
verified by our HOL Light framework.

We will also be focusing on further system evaluation. Our implementation test set is currently using
Rao's Ski example as its main case. In the next stages of this work we will gather practical examples
from existing web services projects, such as the SENSORIA Project 11311 , where verified composition is
desirable. Moreover, we will compare our system with related systems in the field. We also note that it
is important to find examples of composable web services with non-functional properties. The potential
of our framework to incorporate such properties in the composition sets it apart from related work.

Another important part of our future work is to establish formal translations from the composite
services produced by our system in π-calculus to more widely used and more concrete Web Services
description languages, including WSDL and OWL-S. This involves the proper translation of the com-
posite service's control flow, including notions such as sequence that are not explicitly represented in
π-calculus.

In conclusion, we believe that our work contributes to both the Web Services and theorem proving/formal
verification research areas. On the one hand, we are working towards a fully verified Web
services composer using theorem proving techniques while promoting theoretical research in this area.
On the other hand, the variety of tools and tactics that we have developed may provide a reusable and
extensible library, which may prove useful in other formal verification or theorem proving projects in the
area and beyond.